undefined | Better HN

0 pointsuzyn11mo ago0 comments

If C uses it without the knowledge of the original owner (A or B). With proper signCount check, C would have to increment it at its end; A or B would not have known.

When A logs in with an unincremented signCount. A and the relying party are now aware of a potential cloned authenticator and disable the compromised passkey.

0 comments

palata11mo ago

I'm sorry but it seems far-fetched to me. For signCount to be useful with shared passkeys, the attacker who managed to copy the passkey and get full access until the true owner logs in again would have to not synchronise the signCount (which they can totally do because they have full access), and it would "only" let the true owner know that the passkey is compromised.

It seems strictly worse than just sending an email saying "your passkey was used from <IP-based geolocation>, wasn't it you?".

j / k navigate · click thread line to collapse

0 comments

palata11mo ago

It seems strictly worse than just sending an email saying "your passkey was used from <IP-based geolocation>, wasn't it you?".

j / k navigate · click thread line to collapse